System and method for alerting on open file-share sessions associated with a device

ABSTRACT

A method and system for detecting an active file-share session on a monitored device associated with a client device, alerting the user of the client device, and enabling them to terminate the file-share session, are disclosed. In accordance with the disclosed method and system, when a remote device (e.g., on a network, the internet, etc.) connects to a shared file or folder on a monitored device (e.g., a personal computer, network area storage, a game console, a storage area network, a smart telephone, etc.) the user of the client device receives an immediate, automatic alert with the specifics of the file-sharing session and data affected. The user is then presented with an option of whether to OK the file-sharing session (i.e. allow data access to proceed), or to disconnect the file-share session (i.e. cause the remote user to lose access to the monitored device's shared data).

RELATED U.S. APPLICATION DATA

Continuation-in-Part of application Ser. No. 11/354,436, filed on Feb. 15, 2006.

FIELD OF INVENTION

The present invention generally relates to the sharing of files and folders among devices on a network; and, more particularly, to providing a device user with an alert, in real time, indicating a file or folder associated with their device is being accessed by a remote device as part of a file-sharing session; and, allowing the user to quickly terminate that file-sharing session from their device.

BACKGROUND OF THE INVENTION

With nearly all electronic devices today connected to some sort of network—home, work or internet—the need to protect one's information associated with—or accessible to—one's computer or device is stronger than ever. Individual devices join networks quickly and seamlessly; the mere act of turning on a laptop in more and more public places may automatically join that laptop to a network with thousands of other users. A network is designed to be a collaborative environment, so the means of making one's files accessible to others are at the core of all operating systems.

Data stored on a user's device, as well as on devices associated with, or accessible to the user's device, is vulnerable to unauthorized access. It is the objective of the present invention to allow a user to be alerted of access to data associated with their device.

Various “defense strategies” to meet this challenge are on the market; however, none provides the functionality of the present invention. Below are some examples of prior-art solutions to address some of the challenges the present invention solves, and some reasons that these solutions do not meet the requirements set forth by the present invention.

Storage devices often require user authentication to access data. However, setting up granular user rights for every user on a trusted network (for example, a home local area network, also known as a “LAN”) and matching the user rights to every type of data is usually impractical. For example, a home environment may contain a handful of users on devices ranging from PCs to game consoles to iPhones® and other smart phones. A home network-area storage (“NAS”) may contain terabytes of data such as hundreds of movies, thousands of songs, tens-of-thousands of documents and other data. Setting up user permissions on the NAS allowing a Child A to access only some specific movies and music while allowing a Child B to access another set of media and data—all while Child A and Child B and the rest of the family may be logged into a hodgepodge of electronic devices under different user names; and while gigabytes of new data (e.g. new movies and music) are added daily—is a daunting task for an entire IT organization, let alone a working parent.

Another defense layer is provided by firewalls and similar groups of products. Firewalls fail to meet the objectives of the present invention, in part because the problem they were designed to solve is to keep remote users from getting into one's device—not inform a user on what share sessions remote users have opened on his/her device, or on a device associated with the user's device. Firewalls create a division between “my device” and “the outside world”. Traffic from the “outside world” to “my device” is intercepted at the packet level and, based on the originating address of the packet and the port it is to be delivered to, the traffic is either blocked or allowed to continue. In an aggressive firewall mode, where sharing traffic is blocked, users who are trying to legitimately access shared files on a given device are blocked. These users are not challenged by a password mechanism and are not asked what resources on the host device they would like to access—their access requests are summarily denied. In a non-aggressive mode, the firewall allows traffic in and for shares to be accessed, but offers the user of the host device—the one whose files are being accessed—no further real-time information on what local files and folders are being accessed remotely, and by whom.

An ever-increasing amount of data is stored on electronic devices external to a personal computer. For example, in a home environment, data such as movies and other types of media—as well as documents and financial data—are stored in external hard-drives and DVD players, NAS, game consoles and other devices. These external devices are typically accessible to users on a local network (“LAN”). With most LANs being wireless, the data may become vulnerable to access from external users (e.g. neighbors). A computer may inadvertently bridge two networks, compromising the data. For example, a home computer may be on a home LAN, having access to the data on shared devices at home; and at the same time, have access to the internet and offer some level of access to external users. External users able to access the home computer over the internet may gain access to the data on the storage devices at home, also accessible to the home computer.

No single prior art, nor a combination of prior art, solves the problem addressed by the present invention: providing a user of a device with real-time alerts when any data associated with their device is accessed by remote users; and, allowing the user to quickly terminate the remote users' access to the data.

DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and further advantages thereof, references are now made to the following Detailed Description, taken in conjunction with the drawings, in which:

FIG. 1 is a block diagram of the general system architecture allowing for file-sharing alerts.

FIG. 2 is an exemplary flowchart illustrating the operation of a system in accordance with the present invention.

FIG. 3 is a generalized block diagram illustrating an alert message displayed to a user in response to the detection of a file-share session, according to one preferred embodiment.

FIG. 4 is a generalized block diagram illustrating monitoring storage associated with a monitored device by a client device, according to one embodiment of the present invention.

FIGS. 5A, 5B and 5C are generalized flow diagrams illustrating various ways in which a client device may interact with a monitored device to detect data access by a remote device, according to various embodiments of the present invention.

SUMMARY OF THE INVENTION

A method and system for detecting an active file-share session associated with a client device, alerting the user of the client device, and enabling them to terminate the file-share session, are disclosed. In accordance with the disclosed method and system, when a remote computer (e.g., on a network, the internet, etc.) connects to a shared file or folder (e.g. data residing on the client's electronic device, on a gaming device, on a network area storage (“NAS”) or storage area network (“SAN”) or any other storage medium on—or associated with—the client device) the user of the client device receives an immediate, automatic alert with the specifics of the file-sharing session established through this connection. The user is then presented with an option of whether to OK this file-sharing session, or to disconnect it (i.e. cause the remote user to lose access to the files or data).

DETAILED DESCRIPTION

FIG. 1 illustrates a block diagram of the general system architecture of one embodiment of a file-sharing alert system 100 in accordance with the present invention. The system 100 includes a client-side application program 104 that is installed and executed on a client device 102 which is connected to one or more networks 118 through which other computers 120 may request to share files 114 and folders 112 on said client device 102.

In the embodiment illustrated herein, client device 102 comprises an operating system 108 which interacts with a file system 110 which comprises one or more shared folders 112 each comprising one or more shared files 114. Files 114 and folders 112 are accessible to local user account 124. Client side application 104 obtains a list of files 114 and folders 112 which are being opened by another computer 120 on network 118 as part of a sharing session, and displays the names of files 114 and folders 112 and the name of computer 120 which is accessing them, on a display device 116 of client device 102.

In a preferred embodiment, a system timer 126 is used to invoke the querying of operating system 108 by client side application 104. The higher the frequency of timer 126 is, the more responsive the system becomes and the more “real time” the alert 116 feels. An ideal frequency for timer 126 is under 1 cycle per second. The information obtained by application 104 from operating system 108 comprises values 122: name and IP address of remote device 120 owning the current share session, name of file(s) 114 and folder(s) 112 being shared in the current share session, and the user credentials 124 under which the current session is opened.

In one embodiment of the present invention, a user viewing on display 116 of client device 102 a list of files 114 and folders 112 which are being opened by remote computer 120, may choose an option to terminate the sharing session, thereby disabling computer 120 from further opening shared files 114 and folders 112. Upon a user on client device 102 issuing such command, client-side application 104 instructs operating system 108 to terminate the sharing session which is allowing computer 120 to view and/or manipulate files 114 and folders 112.

Information pertaining to the specifics of each sharing session and the user's decision as to whether to allow or terminate said session, are written by client-sided application 104 to memory 106. In future iterations, when client-sided application 104 is informed by operating system 108 of a sharing session by computer 120 accessing files 114 and folders 112 on client device 102, client-sided application 104 can refer to memory 106 to make a determination as to whether a user on client device 102 had already been informed of this particular session, and act in accordance with the desires and instructions of said user.

For example, if the user on device 102 had been alerted and informed through display 116 that computer 120 has opened a sharing session with files 114 in folders 112, and said user had determined said sharing session should be allowed to continue and said determination has been indicated in memory 106, in future detections of said sharing session, client-sided application 104 may not alert the user again of said sharing-session.

FIG. 2 illustrates a flowchart which describes one embodiment of a system operating in accordance with the present invention. Process 1002 is driven by a system-timer which queries the operating system to make a determination as to whether one or more open share-sessions 1004 are present. If one or more share-sessions are present, step 1006 obtains a list of all such open share-sessions. Step 1008 extracts the name of the first open share-session from the list obtained in step 1006. Step 1010 compares the name of the session obtained in step 1008 with names of all sessions previously identified and now stored in memory.

If the current open share-session is determined to be in memory by step 1012, it is assumed the user had already had a chance to okay this session, and so step 1014 determines whether there is another session to be examined in the list of open share-sessions obtained in step 1006. If step 1014 determines there is another session to be examined, step 1016 obtains the next open share-session's name and step 1010 is repeated for the new open share-session name obtained in step 1014. Once step 1012 determines a given open share-session's name is not in memory, step 1018 alerts the user with the specifics of the current open share-session in step 1010. Such alert may include the name of the remote device owning the share-session, as well as the specific files and/or folders on the local device which are being accessed via this share-session and the name of the user on the local device under whose credentials the share-session is conducted.

As part of alert 1018, the user may be presented with an option as to whether to “okay” or terminate the current share-session. If the user chooses to “okay” this share-session in step 1020, the name of this share-session is added to the application's memory for future reference in step 1010. If the user chooses to terminate this share-session in step 1020, step 1024 issues a command to the operating system of the client device to delete the current share-session. Step 1014 is then repeated until all open share-sessions obtained in step 1006 have been examined.
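
The FIG. 2 loop described above can be sketched as follows. This is an added example, not code from the application: FakeSessionTable, ShareMonitor and the sample sessions are hypothetical, and treating any answer other than "ok" as a request to terminate is an assumption of the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ShareSession:
    name: str                 # session name: the key compared in step 1010
    remote_host: str          # name of the remote device owning the session
    remote_ip: str
    local_user: str           # local account whose credentials the session uses
    paths: Tuple[str, ...]    # shared files/folders opened in the session


class FakeSessionTable:
    """Hypothetical stand-in for the operating system's share-session table."""

    def __init__(self, sessions: List[ShareSession]):
        self._sessions: Dict[str, ShareSession] = {s.name: s for s in sessions}

    def list_sessions(self) -> List[ShareSession]:
        return list(self._sessions.values())

    def terminate(self, name: str) -> None:
        self._sessions.pop(name, None)

    def connect(self, session: ShareSession) -> None:
        self._sessions[session.name] = session


class ShareMonitor:
    """Client-side application: poll, compare with memory, alert, act."""

    def __init__(self, table: FakeSessionTable,
                 decide: Callable[[ShareSession], str]):
        self.table = table
        self.decide = decide                    # the alert: returns "ok" or "terminate"
        self.approved: Set[str] = set()         # names already okayed (the memory)
        self.audit: List[Tuple[str, str]] = []  # (session name, decision) history

    def poll_once(self) -> List[ShareSession]:
        """One timer tick. Returns the sessions that raised an alert."""
        alerted = []
        for session in self.table.list_sessions():    # steps 1006, 1008, 1014, 1016
            if session.name in self.approved:          # steps 1010 and 1012
                continue
            alerted.append(session)                    # step 1018
            choice = self.decide(session)              # step 1020
            if choice == "ok":
                self.approved.add(session.name)
            else:
                # Assumption of this example: anything but an explicit "ok"
                # ends the session (step 1024), so a bad answer fails closed.
                self.table.terminate(session.name)
            self.audit.append((session.name, choice))
        return alerted

    def run(self, cycles: int, interval: float,
            sleep: Callable[[float], None] = time.sleep) -> int:
        """Timer-driven loop (process 1002). Returns the number of alerts raised."""
        total = 0
        for _ in range(cycles):
            total += len(self.poll_once())
            sleep(interval)
        return total


# Constructed sample data; addresses come from the documentation range 192.0.2.0/24.
SAMPLE_SESSIONS = [
    ShareSession("LAPTOP-A", "LAPTOP-A", "192.0.2.10", "parent", ("Photos",)),
    ShareSession("UNKNOWN-PC", "UNKNOWN-PC", "192.0.2.77", "guest", ("Documents/tax.pdf",)),
]


def known_hosts_only(session: ShareSession) -> str:
    """Stand-in for the user's click on the alert window."""
    return "ok" if session.remote_host == "LAPTOP-A" else "terminate"


if __name__ == "__main__":
    monitor = ShareMonitor(FakeSessionTable(SAMPLE_SESSIONS), known_hosts_only)
    for s in monitor.poll_once():
        print(f"ALERT {s.remote_host} ({s.remote_ip}) as {s.local_user}: {s.paths}")
    print("still open:", [s.name for s in monitor.table.list_sessions()])
```

Because approval is keyed on the session name alone, as in the description, an approved name raises no further alert on later polls.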

FIG. 3 is a generalized block diagram illustrating an alert message displayed to a user in response to the detection of a file-share session, in one preferred embodiment. Display area 300 (e.g. a Microsoft Windows® desktop, a smart phone's desktop or the desktop of any other electronic client device) may display an alert window 301 indicating to the user the existence of an open share-session on their client device. Alert 301 includes the name of the remote device 302 owning the current open share-session, as well as the name of the folder 304 being accessed and the name of the user 306 on the local client device, whose credentials are being used to facilitate this open share-session. Additional information may be made available to the user by clicking on link 310. In other embodiments of the current invention, additional information may be presented to the user via any other audio or visual means, as available on the client device.

Alert window 301 may also include a button 312 to terminate the current open share-session and a button 308 to “ok” the current open share-session (e.g. labeled “ignore”). Button 312 sends an instruction to the operating system to terminate the current open share-session alluded to by alert window 301. (The functionality to terminate/delete/drop/close an open share-session is built into all operating systems and would result in an error occurring on the remote device owning this connection, indicating to the user on that remote device, that the folders and/or files this connection has given the remote device access to, have become inaccessible.) “Ignore” button 308 indicates the user of the client device has consented to the present open share-session, and that alert window 301 should no longer be displayed in the future to alert to the presence of this specific open share-session.

This functionality is accomplished by adding the name of this specific open share-session to the client device's memory maintained by the client-sided application. In that manner, the next time the client-sided application would detect the presence of the specific open share-session—previously okayed by the user and recorded in memory—alert window 301 will not be displayed.

FIG. 4 is a generalized block diagram illustrating monitoring storage associated with a monitored device by a client device, according to one embodiment of the present invention. A client device 402 may be any device capable of accessing remote data over any type of network (e.g. a computer, mobile device such as a smart phone, a game console, etc.).

A monitored device 410 may be any electronic device capable of (1) storing data and (2) sharing the stored data over a network. Examples of monitored devices are PCs, SANs, NASs, game consoles, mobile devices, digital video recorders, external hard drives, DVD players, USB storage etc.

The monitored device 410 may contain an operating system (“OS”) 412 allowing for—in addition to other common OS functionality—communication with other networked devices 402 and 406. The OS 412 may also allow access to data 414 stored on the monitored device 410. The OS 412 may also allow other networked devices 402 and 406 to access the data 414.

The client device 402 may establish communication with the OS 412 of the monitored device 410 and request to monitor remote access to the data 414 managed by the OS 412. Various methods and embodiments for facilitating such request exist and are discussed throughout this document.

A remote device 406 (any device capable of electronic communication and file access, e.g. a computer, mobile device such as a smart phone etc.) may establish communication with the monitored device 410.

The remote device 406 may request from the OS 412 of the monitored device 410 to access the data 414 on the monitored device 410. As a matter of common practice, the OS 412 may authenticate the user rights and/or device-rights of the remote device 406 before allowing access to the data 414, as disclosed in various prior art.

In one preferred embodiment of the present invention, the OS 412 may deliver an electronic communication to the client device 402, informing the user of the client device 402 of the data access by the remote device 406 into the data 414.

In an alternate preferred embodiment, the OS 412 may automatically suspend the data access by the remote device 406 (i.e. making the data 414 inaccessible to the remote device 406) and deliver a message (e.g. an alert) to the user of the client device 402. The message may contain information with various specifics on the nature of the remote data access (e.g. the name of the remote device 406, the user credentials of the remote device 406, the specific subset of data, e.g. file names and folders, of the data 414 being accessed, etc.). The message may allow the user of the client device 402 to allow the data access to resume (e.g. with the user of the client device 402 pressing an “OK” button in the alert message), in response to which the data access may be resumed by the OS 412.

In various other possible embodiments other steps and components may be involved to facilitate the operation of the present invention. For example, the OS 412 may include a separate software application to handle any or all the functionality described above and attributed to the OS 412.

FIGS. 5A, 5B and 5C are generalized flow diagrams illustrating various ways in which a client device may interact with a monitored device to detect data access by a remote device, according to various embodiments of the present invention. The devices described herein are any electronic devices capable of any form of electronic communication, e.g. computing/telephony devices communicating over a TCP/IP network. Please note that the terms local device, managed device and remote device are used herein to differentiate devices according to their arbitrary role in this illustration, and do not imply any real difference among these devices.

Referring to FIG. 5A, flowchart 500 illustrates associating data on a monitored device with a client device, in one preferred embodiment. At step 502, a client device may transmit its credentials to a monitored device. In network-based computing it is common practice to associate user credentials with a device and transmit the credentials to remote devices to gain various levels of access. For example, a client device may require a user logon, such as user name and password, and may transmit these logon credentials to a second device (herein “managed device”). The managed device may then authenticate the logon credentials against a local data store or a remote data store (e.g. Active Directory®), and may implement a policy determining what operations the client device may perform, and what data the client device may access, on the managed device.

At step 504, the monitored device may authenticate the credentials received from the client device and may determine an entitlement by the client device to query data on the monitored device. At step 506 the client device may query the monitored device for data stored on the monitored device (or associated with the monitored device) that is accessible over the network or by another user associated with the monitored device (e.g. media files on the monitored device accessible over the network).

At step 508, in response to the query at step 506, the monitored device may transmit to the client device a list of the data accessible via file sharing. The data may be presented to the user of the client device in various forms, for example as a tree-hierarchy folder structure, allowing the client to drill into folders contained in the data, and determine their file contents.

At step 510, the user of the client device may select specific data to be monitored. For example, the user of the client device may select (e.g. via checking with a pointing device) names of files or folders on the monitored device to be monitored for external file sharing access.

At step 512, the monitored device may instantiate monitoring of the selected subset of data. Monitoring may be conducted by the OS or any other software, such as services/daemon applications.

Referring now to FIG. 5B, flow diagram 550 illustrates a remote device connecting to the monitored device, requesting access to shared data and generating a response by the monitored device.

At step 552, a remote device may connect to the monitored device, for example over a network. In other examples, the remote device may be a peripheral of the monitored device.

At step 554, an authentication process may take place, facilitating the connection of the remote device to the monitored device. Authentication may require the passing and authentication of user credentials, and may involve the use of one or more layers such as firewalls, proxies, OS, Active Directory, a repository of user profiles, etc.

At step 556 the remote device may query the monitored device for accessible shared data. For example, the remote device may request a list of all files and folders on (or associated with) the monitored device that had been designated as shareable to remote users.

At step 558 the remote device may request specific data from the data deemed shareable at step 556. Please note that steps 556 and 558 are illustrative and may be consolidated into one step; or, divided into many smaller, more granular steps.

At step 560, it may be determined whether the data requested at step 558 is being monitored by the monitored device (refer to FIG. 5A, step 510 for an illustrative selection of specific subsets of data to be monitored). If it is determined at step 560 that the specific data requested at step 558 is not monitored, at step 562 the requested data may be transmitted to the remote device (provided the remote device is entitled to access the data considering other authentication requirements outside the scope of this invention, for example NTFS permissions or Active Directory profiles or file/folder permissions, etc.).

If it is determined at step 560 that the requested data is monitored, at step 564 it may be determined whether the monitoring policy (i.e. the policy set by the monitored device in conjunction with the client device) allows for the sharing requested at step 558.

For example, in one preferred embodiment, sharing/data access is automatically suspended by the monitored device until the sharing is approved by the client device.

If at step 564 it is determined the policy does not restrict sharing automatically, at step 566 the remote device may gain access to the requested shares/data.

At step 568 an electronic message (e.g. alert) may be transmitted to the client device alerting of the new data access/share session. If at step 564 it is determined the policy requires automatic suspension of all new data access/share requests, step 566 may be skipped and step 568 may be invoked.

At step 570 the user of the client device may receive the message/alert informing them of the new share/data access session. The alert may be visual, contain audio, be sent to the user via a plurality of channels such as voice, electronic messages, text, etc. The alert may contain information on the specific data being accessed, the identity of the user of the remote device, etc.

Referring now to FIG. 5C, the message/alert 570 displayed to the user may be interactive, allowing the user of the client device to transmit an instruction to the monitored device to take various actions.

At step 572, user input may be collected to determine the type of action to take. For example, the user may press a button such as “terminate immediately”, or select from a list of action items; communicate a message to the user of the remote device, display an alert on the remote device, etc.

If at step 574 it is determined that the input received at step 572 indicated no adverse action to stop the share session, at step 580 no action may be taken, allowing the share to continue unabated. Please note that if the policy had automatically suspended sharing (as discussed in one ramification in FIG. 5B), following step 574 an automatic instruction may be transmitted to the monitored device resuming the data sharing session, prior to the termination of the flow at step 580.

If it is determined at step 574 that the user input at step 572 had requested the termination of the data share session on the monitored device, at step 576 an electronic message may be transmitted to the monitored device to terminate the shared session.

At step 578, the monitored device may terminate the share session, i.e. prohibiting any further access to the data by the remote device. For example, in a home environment, a child (i.e. remote user) may request access to a movie on a storage device (i.e. monitored device) and, after standard user authentication, the movie may start transmitting to the child's remote device. The parent (i.e. client device) may receive an immediate alert on their own device specifying their child is downloading a specific movie from the storage device. The parent's alert may display a button such as “suspend access”, which the parent may press, causing the storage device to suspend the transmission of the movie to the child's remote device.
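
The monitored-device side of FIGS. 5B and 5C (steps 558 to 580) can be modelled as a small state machine. This is an added example, not code from the application: MonitoredDevice, its method names, the action strings and the sample paths are hypothetical, and normalizing requested paths before the step 560 check is an assumption of the example.

```python
import posixpath
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List


class State(Enum):
    ACTIVE = "active"          # remote device can read the data
    SUSPENDED = "suspended"    # held until the client device answers the alert
    TERMINATED = "terminated"  # step 578: no further access


@dataclass(frozen=True)
class Alert:
    session_id: int
    remote_device: str
    remote_user: str
    path: str
    state: State               # state of the session when the alert was sent


class MonitoredDevice:
    def __init__(self, monitored: Iterable[str], auto_suspend: bool):
        # Folders selected for monitoring (FIG. 5A, step 510).
        self.monitored = tuple(posixpath.normpath(p) for p in monitored)
        self.auto_suspend = auto_suspend        # policy consulted at step 564
        self.sessions: Dict[int, State] = {}
        self.outbox: List[Alert] = []           # alerts for the client device
        self._next_id = 1

    def is_monitored(self, path: str) -> bool:
        """Step 560. The path is normalized first so that a request such as
        /media/public/../movies/x is matched against /media/movies, and the
        comparison respects folder boundaries (/media/movies-old is distinct)."""
        path = posixpath.normpath(path)
        return any(path == root or path.startswith(root.rstrip("/") + "/")
                   for root in self.monitored)

    def request(self, remote_device: str, remote_user: str, path: str) -> int:
        """Step 558: a remote device asks for data. Returns a session id."""
        sid = self._next_id
        self._next_id += 1
        if not self.is_monitored(path):
            self.sessions[sid] = State.ACTIVE                   # step 562
            return sid
        state = State.SUSPENDED if self.auto_suspend else State.ACTIVE  # 564/566
        self.sessions[sid] = state
        self.outbox.append(Alert(sid, remote_device, remote_user,
                                 posixpath.normpath(path), state))      # step 568
        return sid

    def can_read(self, sid: int) -> bool:
        return self.sessions.get(sid) is State.ACTIVE

    def handle_decision(self, sid: int, action: str) -> State:
        """Steps 572 to 580: apply the client device's answer to an alert."""
        state = self.sessions[sid]
        if state is State.TERMINATED:
            return state                        # a terminated session stays closed
        if action == "terminate":               # steps 576 and 578
            state = State.TERMINATED
        elif action == "allow":                 # step 580, resuming if suspended
            state = State.ACTIVE
        # Any other input leaves the state unchanged, so a suspended session
        # stays suspended until an explicit "allow" arrives.
        self.sessions[sid] = state
        return state


if __name__ == "__main__":
    # Constructed scenario: the storage device from the home example above.
    nas = MonitoredDevice(["/media/movies"], auto_suspend=True)
    sid = nas.request("KIDS-TABLET", "child_a", "/media/movies/film.mkv")
    print(nas.outbox[-1], "readable:", nas.can_read(sid))
    print("after allow:", nas.handle_decision(sid, "allow"))
```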

In alternate possible embodiments, various different methods may be used to implement the present invention, along the generalized outline in FIGS. 5A-5C, involving various software, networking and hardware components.

While various embodiments of the present invention have been described in detail, it is apparent that further modifications and adaptations of the present invention will occur to those skilled in the art. However, it is to be expressly understood that such modifications and adaptations are within the spirit and scope of the present invention.

1. A method of protecting data against unauthorized access over a network, wherein the data is associated with an electronic device and is accessible via active file-share sessions, comprising: determining whether there are active file-share sessions associated with said electronic device; in the event at least one active file-share session is determined to exist, determining whether the at least one active file-share session is included on an approved share-session list; in the event the at least one active file-share session is determined not to be on the approved share-session list, retrieving identifying information of a remote device associated with the at least one active file-share session; and sending an alert, wherein the alert includes the identifying information of the remote device.
2. The method of claim 1, wherein the alert also includes an approval request providing a recipient of the alert a capability to approve or terminate the at least one active file-share session.
3. The method of claim 2, wherein in response to receiving an approval from said recipient, including on the approved share-session list the at least one active file share session; and in response to receiving a denial from said recipient, terminating the at least one active file-share session.
4. The method of claim 1, wherein the remote device identifying information includes a name and an internet protocol (“IP”) address of the remote device.
5. The method of claim 1, wherein the alert includes identifying information specifying any files or folders associated with the at least one active file-share session determined not to be on the approved share-session list.
6. The method of claim 1, wherein the alert includes information specifying user credentials under which the data associated with the at least one active file-share session are determined not to be on the approved share-session list are accessed.
7. The method of claim 1, wherein the data resides externally to the electronic device.
8. The method of claim 1, further comprising: in the event at least one active file-share session is determined to exist, suspending access to the at least one active file-share session; in response to receiving an approval from said recipient, reinstating access to the at least one active file-share session.
9. The method of claim 1, further comprising: recording a log of the determination and the alert presented, the log including the received denial or approval associated with the alert.
10. The method of claim 1, further comprising: initiating the determination of whether there are active file-share sessions on said electronic device.
11. The method of claim 10, wherein the initiating step is initiated by a timer.
12. The method of claim 11, wherein the timer is operated at a frequency of greater than 1 cycle per second.
13. The method of claim 10, wherein the initiating step is invoked by an operating system on the electronic device.
14. The method of claim 10, wherein the initiating step is invoked upon detection of access to a file or folder associated with said electronic device.
15. The method of claim 10, wherein the initiating step is invoked by an operating system on a second device associated with the data.
16. The method of claim 15, wherein the data resides on a network area storage device.
17. The method of claim 7, wherein the data resides on a mobile device.
18. The method of claim 7, wherein the data resides on a digital video recorder.
19. The method of claim 7, wherein the data resides on a gaming system.
20. The method of claim 7, wherein the data resides on a storage area network.
21. The method of claim 7, wherein the data resides on a universal-serial-bus device.
22. A method of controlling access to data files associated with a first electronic device, wherein the data files reside on a second electronic device accessible to the first electronic device, comprising: determining whether a third electronic device is attempting to create a file-share session associated with the second electronic device; in the event of a determination that the third electronic device is attempting to create a file-share session, collecting identifying information of the third electronic device; and sending an alert wherein the alert contains the identifying information and an approval request, wherein the approval request provides a recipient of the alert a capability to approve or reject the attempt to create the file-share session; and receiving input from the recipient; in the event the input is an approval, allowing the third electronic device to create a file-share session; and in the event the input is a denial, terminating the attempt to create a file-share session.
23. The method of claim 22, further comprising: in the event the input is an approval, entering the collected identifying information of the third electronic device in an approved open share-session list, and prior to sending an alert, determining whether the file-share session is associated with a remote device specified in the approved share-session list; in the event the file-share session is associated with a remote device specified in the approved share-session list, allowing the third electronic device to access the file-share session.
24. The method of claim 22, wherein the alert is sent to a user of the first electronic device.
25. The method of claim 22, wherein the first electronic device is connected to the second electronic device over a network.
26. The method of claim 22, further comprising: determining at least one data file affected by the file-share session; and including a name of the at least one data file in the alert.
27. The method of claim 22, further comprising: determining at least one data file folder affected by the file-share session; and including a name of the at least one data file folder in the alert.
28. A method of alerting a user of a primary electronic device of access to data on a monitored electronic device by a remote electronic device, comprising: associating data on the monitored electronic device with the primary electronic device; detecting an attempt by the remote electronic device to access the data on the monitored electronic device; and sending an alert to the primary electronic device.
29. The method of claim 28, wherein the step of associating the data on the monitored device further includes authenticating the user with the monitored electronic device.
30. The method of claim 28, wherein the step of associating the data further includes selecting at least some of the data on the monitored electronic device for monitoring.
31. The method of claim 30, wherein the selection is made by the user of the primary electronic device.
32. The method of claim 28, wherein the monitored electronic device contains executable code to persistently monitor data access by remote electronic devices.
33. The method of claim 32, wherein the monitored electronic device sends an electronic notification to the primary electronic device upon detecting an attempt.
34. The method of claim 28, wherein the primary electronic device electronically polls the monitored electronic device for the attempt to access the data by the remote electronic device.
35. The method of claim 28, wherein the alert contains at least some identifying information on the remote electronic device.
36. The method of claim 28, wherein the alert also includes an approval request providing a recipient of the alert a capability to approve or terminate the access to the data.
37. The method of claim 36, wherein in response to receiving a denial from the recipient, terminating the access to the data.
38. The method of claim 36, further comprising: in the event an attempt to access the data is detected, suspending access to the data; in response to receiving an approval from said recipient, reinstating access to the data.